From bd86a52f0900363565e7223a0b1facf76006edf0 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Thu, 26 Oct 2023 15:39:09 -0400
Subject: [PATCH] Mask /sys/devices/virtual/powercap

I don't really like this solution because it can't be undone by `--security-opt unmask=all` but I don't see another way to make this retroactive. We can potentially change things up to do this the right way with 5.0 (actually have it in the list of masked paths, as opposed to adding at spec finalization as now).

Signed-off-by: Matthew Heon
---
 libpod/container_internal_common.go | 2 ++
 libpod/container_internal_freebsd.go | 4 ++++
 libpod/container_internal_linux.go | 6 ++++++
 test/e2e/run_test.go | 23 +++++++++++++++++++++++
 4 files changed, 35 insertions(+)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 89aa607593..a2d3e69eb8 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -679,6 +679,8 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 }
 }
+ c.addMaskedPaths(&g)
+
 return g.Config, cleanupFunc, nil
 }
diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go
index fe3d238d75..e277aaca92 100644
--- a/libpod/container_internal_freebsd.go
+++ b/libpod/container_internal_freebsd.go
@@ -385,3 +385,7 @@ func (c *Container) getPlatformRunPath() (string, error) {
 }
 return runPath, nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+ // There are currently no FreeBSD-specific masked paths
+}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2a9bb9f86a..4f1f3790dc 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
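Review bot: `c.addMaskedPaths(&g)` is added as the last statement before generateSpec returns, after every user-supplied security option has already been folded into `g`, and nothing at the call site records that this ordering is deliberate; the commit message explains it, but the next maintainer reading the function will only see an unexplained late mutation of the spec. Suggest a comment above the call: `// Platform-specific masked paths are added last, after --security-opt mask=/unmask= have been applied, so they remain in effect even when the user passed unmask=all.` generateSpec begins outside the hunk, so I cannot confirm from here where the unmask handling sits relative to this call; that part rests on the commit description. The same ordering caveat applies to the Linux implementation in the container_internal_linux.go hunk.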
@@ -805,3 +805,9 @@ func (c *Container) makePlatformMtabLink(etcInTheContainerFd, rootUID, rootGID i
 func (c *Container) getPlatformRunPath() (string, error) {
 return "/run", nil
 }
+
+func (c *Container) addMaskedPaths(g *generate.Generator) {
+ if !c.config.Privileged {
+ g.AddLinuxMaskedPaths("/sys/devices/virtual/powercap")
+ }
+}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index ae8db35d9a..a74ecf78a7 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -413,6 +413,29 @@ var _ = Describe("Podman run", func() {
 Expect(session.OutputToString()).To(Not(BeEmpty()))
 })
+ It("podman run powercap is masked", func() {
+ Skip("CI VMs do not have access to powercap")
+
+ testCtr1 := "testctr"
+ run := podmanTest.Podman([]string{"run", "-d", "--name", testCtr1, ALPINE, "top"})
+ run.WaitWithDefaultTimeout()
+ Expect(run).Should(ExitCleanly())
+
+ exec := podmanTest.Podman([]string{"exec", "-ti", testCtr1, "ls", "/sys/devices/virtual/powercap"})
+ exec.WaitWithDefaultTimeout()
+ Expect(exec).To(ExitWithError())
+
+ testCtr2 := "testctr2"
+ run2 := podmanTest.Podman([]string{"run", "-d", "--privileged", "--name", testCtr2, ALPINE, "top"})
+ run2.WaitWithDefaultTimeout()
+ Expect(run2).Should(ExitCleanly())
+
+ exec2 := podmanTest.Podman([]string{"exec", "-ti", testCtr2, "ls", "/sys/devices/virtual/powercap"})
+ exec2.WaitWithDefaultTimeout()
+ Expect(exec2).Should(ExitCleanly())
+ Expect(exec2.OutputToString()).Should(Not(BeEmpty()))
+ })
+
 It("podman run security-opt unmask on /sys/fs/cgroup", func() {
 SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")
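Review bot: addMaskedPaths has no doc comment, and the body gives no reason why `/sys/devices/virtual/powercap` is hidden or why privileged containers are exempt, so the intent is only recoverable from the commit message. Suggest a doc comment above the function: `// addMaskedPaths appends Linux-only masked paths that are not part of the default masked-path list; it runs at spec finalization, after --security-opt unmask= has been processed, so these entries cannot be removed by the user. Privileged containers receive no extra masks (the e2e test expects the path to be listable under --privileged).` A one-line why-comment naming what the powercap directory exposes would also help a future reader judge whether the mask can move into the regular default list, as the commit message proposes for 5.0. As far as I can tell AddLinuxMaskedPaths appends without deduplicating, so a user who also passes `--security-opt mask=` for the same path would get the entry twice; harmless for the runtime, but worth confirming.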